b"U.S. CONSUMER PRODUCT SAFETY COMMISSION\n\n\n\n\nOFFICE OF THE INSPECTOR GENERAL\n\n\n\n FEDERAL INFORMATION SECURITY\n        MANAGEMENT ACT\n              REPORT\n\n\n     Issued: November 15, 2011\n  Minor Edits Made: January 23, 2012\n\x0c                     Federal Information Security Management Act Report\n                                       Table of Contents\n\n                                                                          Page\nEXECUTIVE SUMMARY                                                         2\nOffice of the Inspector General\xe2\x80\x99s Results\n\nINTRODUCTION                                                              5\n\nBackground                                                                5\nObjective                                                                 6\nScope and Methodology                                                     6\n\nRESULTS OF EVALUATION                                                     7\n\nPrior Findings, Recommendations, and Actions Taken\n        Security Management Controls                                      7\n        Security Operational Controls                                     20\n        Security Technical Controls                                       28\n\nPerformance Measures                                                      37\n\nMANAGEMENT RESPONSE                                                       37\n\n\n\n\n                                                                                 1\n\x0c                                 Office of the Inspector General\n                           U.S. Consumer Product Safety Commission\n                                   Washington, D.C. 20207\n\n                 FEDERAL INFORMATION MANAGEMENT ACT REPORT\n\n                                   EXECUTIVE SUMMARY\n\n\nOffice of the Inspector General\xe2\x80\x99s Results\n\n        To meet the requirements of the Government Information Security Reform Act (GISRA),\nand its successor, the Federal Information Security Management Act (FISMA), the U.S.\nConsumer Product Safety Commission\xe2\x80\x99s (CPSC\xe2\x80\x99s) Office of the Inspector General (OIG)\ncontracted with Grant Thornton, LLP, to perform an independent audit of the CPSC\xe2\x80\x99s automated\ninformation security control procedures and practices in Fiscal Year 2001. The audit included\ntests of entity-wide controls and six of the CPSC\xe2\x80\x99s 49 application systems and their underlying\nelements. Grant Thornton used the National Institute of Standards and Technology Special\nPublication (SP) 800XX, Draft Self-Assessment Guide for Information Technology Systems,\nMarch 9, 2001, to test security controls. The results of the Audit of Automated Information\nSystem Security, August 16, 2001, and the annual follow-ups to it, in conjunction with the\nindependent reviews required by FISMA and audits with information technology aspects (CFO\nAct Audit), served as the basis for the IG\xe2\x80\x99s Fiscal Year 2011 evaluation. This review was\ncompleted in accordance with the Quality Standards for Inspections issued by the Council of\nInspectors General on Integrity and Efficiency\xe2\x80\x99s (CIGIE) Inspection and Evaluation Committee\nand not the GAGAS standards issued by the GAO.\n\n       This year\xe2\x80\x99s FISMA evaluation found that although much progress has been made, and the\nConsumer Product Safety Risk Management System (CPSRMS) and International Trade Data\nSystem Risk Assessment Methodology (ITDSRAM) both received security accreditations, the\nagency\xe2\x80\x99s General Support System (GSS LAN) is no longer authorized to operate, and there\nremains much work to do. It was noted that the current Authorization to Operate (ATO) for the\nGSS LAN expired on June 17, 2011, and management was unwilling to accept formally the risk\nposed by the operation of the GSS LAN with its current security posture. Therefore, an interim\nATO was granted as of June 27, 2011, to allow for the continuity of operations until a full ATO\ncould be obtained. A full ATO for the GSS LAN is anticipated by December 31, 2011.\nGranting a full ATO at that time is contingent upon the successful mitigation or reduction of risk\nassociated with the three known high risk security weaknesses. The three weaknesses preventing\nthe agency from granting a full ATO to the GSS LAN are: (1) multifactor authentication was not\nsystematically required to access the VPN; (2) an Information System Contingency Plan (ISCP)\nwas not documented and tested; and (3) baseline security configurations for agency hardware\nand software have not been documented and implemented yet.\n\n        Management plans to remediate fully the multifactor authentication security weakness in\ntwo phases. The first phase was substantially complete as of September 30, 2011. All high-risk\nusers (authorized teleworkers) are now required to log in systematically to their laptops using the\n\n                                                                                                 2\n\x0cPersonal Identity Verification (PIV) card. Once authorized teleworkers were required to\nauthenticate to the network using the PIV card, the risk was reduced to moderate. The second\nphase of this remediation will require nonteleworkers to authenticate to the GSS LAN using the\nPIV card. This phase is scheduled to be completed by December 31, 2011. The other high-risk\nsecurity weaknesses preventing the GSS LAN\xe2\x80\x99s ATO are the lack of a tested ISCP and the lack\nof implemented baseline security configurations, both of which are scheduled to be remediated\nby December 31, 2011.\n\n        The OIG noted 65 findings (15 of which are high-risk issues) in this year\xe2\x80\x99s review; please\nsee below for additional details. The IT challenges facing the agency are particularly relevant at\nthe present time, as the agency is dealing with the implementation of the Consumer Product\nSafety Improvement Act (CPSIA), in general, and more specifically, with the CPSIA\xe2\x80\x99s particular\nimpacts on the agency\xe2\x80\x99s IT operations; in addition, the agency is involved in the implementation\nof the public facing database (CPSRMS).\n\n       As was the case last year, the general theme of the reviews indicated a lack of quality\nsystem reporting, as well as insufficient evidence documenting the control activities performed\nby those responsible for the processes reviewed. These deficiencies, at least in part, resulted\nfrom inadequate and dated policies and procedures. In addition, the existing policies and\nprocedures were not enforced throughout the fiscal year, and the tools to facilitate the required\nsystem reporting were inadequate. However, although many of the policies have been updated,\nand several of the procedures have been made more effective, these policies were not\ndisseminated to all of the resources with key procedural responsibilities. Also, many more\nimprovements to these documents are still required, as noted below. Additionally, to improve\nsystem monitoring and reporting, several new tools (e.g., Zenworks, Novell Sentinel, Tenable)\nwere deployed. However, these tools have not been implemented fully. Although there is a\ncommitment to remediate these issues, management has indicated that sufficient resources are\nnot available to address them adequately.\n\n        Remediation strategies have been developed to address these known vulnerabilities, with\na priority placed on the highest risk issues. The CPSC is in the process of remediating these\nissues; however, the full mitigation of these risks will require a significant amount of additional\neffort. For example, the lack of baseline security configurations is preventing the agency from\ngranting a full ATO to the GSS LAN. The CPSC is taking steps to ensure that the issue is\nremediated, including: implementing tools to catalog hardware and software on the network;\ndrafting baseline configurations for the known hardware and software; and implementing tools to\nassess and report on known variances to the configuration baselines. However, much additional\nwork is required to implement this process fully and to ensure that proper configuration\nmanagement can be enforced.\n\n        Another example of remediation activity undertaken by CPSC management to eliminate\nexisting vulnerabilities and improve overall system security is the proposed implementation of a\nContinuous Monitoring Plan. The implementation of this plan will result in the remediation of\nseveral vulnerabilities, simply due to the improvements required in system reporting to facilitate\nthe Continuous Monitoring strategy. The improvement in the reporting, as well as the resulting\nanalysis made possible by the enhanced reporting, will allow issues in other processes (such as\n\n                                                                                                 3\n\x0cRemote Access governance, Identity Management, Security Awareness Training and Security\nIncident Reporting) to be identified, quantified, and remediated much more efficiently and\neffectively than currently is possible. This, in addition to the harmonizing of processes required\nfor reporting, will result in a significant improvement in overall system security. However, it is\nimportant to note that these remediation tasks were scheduled to be implemented after the\nFISMA review in FY 2010, and they still have not been implemented fully.\n\n\n\n\n                                                                                                4\n\x0c          FEDERAL INFORMATION SECURITY MANAGEMENT ACT REPORT\n\nINTRODUCTION\n\nBackground: On October 30, 2000, the President signed into law, the Fiscal Year (FY) 2001\nNational Defense Authorization Act, which included Title X, Subtitle G, the Government\nInformation Security Reform Act (GISRA). On December 17 2002, GISRA was superseded\nwhen the President signed into law the Electronic Government Act. Title III of this Act, the\nFederal Information Security Management Act (FISMA), along with OMB policy, lay out a\nframework for annual IT security reviews and reporting and remediation planning. FISMA seeks\nto ensure proper management and security for information resources supporting federal\noperations and assets. The Act requires Inspectors General to perform an annual independent\nevaluation of their agencies\xe2\x80\x99 information systems\xe2\x80\x99 security programs and practices.\n\n    To establish a baseline to help it meet the requirements outlined above, the CPSC\xe2\x80\x99s Office of\nthe Inspector General (OIG) performed an independent audit of the CPSC's automated\ninformation security control procedures and practices in FY 2011. The requirements of the audit\nincluded:\n\n-evaluating and testing the internal controls defined in the 2011 FISMA metrics (provided by\nOMB), evaluating related weaknesses and identifying the degree of risk for the related weakness;\n\n-testing the effectiveness of the information security controls defined in the 2011 FISMA metrics\non all of the CPSC\xe2\x80\x99s accredited, or previously accredited systems;\n\n-assessing whether the CPSC\xe2\x80\x99s information security policies, procedures, and practices comply\nwith the federal laws, regulations, and policies outlined in the 2011 FISMA metrics;\n\n-recommending improvements, where necessary, in security record keeping, internal security\ncontrols, and system security; and\n\n-identifying the degree of risk associated with identified internal security controls weaknesses.\n\n   The review included tests of the entity-wide, system specific, and hybrid controls for the\nGSS LAN, CPSRMS, and ITDSRAM applications controls, as defined in the 2011 FISMA\nmetrics. The OIG used the NIST and OMB guidance referred to in the 2011 FISMA metrics to\nassess the security controls. The objective of the review was to determine whether the CPSC\xe2\x80\x99s\nautomated information system was safeguarded adequately.\n\n   In its report, Audit of Automated Information System Security, the OIG identified security\nweaknesses in the CPSC\xe2\x80\x99s management, operational, and technical controls policies, procedures,\nand practices. The conditions of these controls could permit the modification or destruction of\ndata, disclosure of sensitive information, or denial of services to users who require the\ninformation to support the mission of the CPSC. In addition, it was reported in 2001 that the\nCPSC did not have a capital budget for IT security. Without appropriate capital budget planning,\n\n\n                                                                                                    5\n\x0cGrant Thornton was concerned that CPSC\xe2\x80\x99s management might not be able to implement and\nmaintain resources properly to ensure system safeguards.\n\n   To ensure proper coverage and mitigation of the risks identified by the OMB, the CPSC is\nrequired to perform its own testing procedures to assess the design and implementation of the\nOMB-defined FISMA requirements. (Please see the Scope and Methodology for additional\ndetails). The CPSC OIG reviewed the 2011 GSS LAN, CPSRMS and ITDSRAM Risk\nAssessments, Security Assessment Plans (SAPs), and SSPs (System Security Plan), as well as\nthe ITDSRAM SAR, which were developed in-house to update the OIG\xe2\x80\x99s understanding of the\ncurrent processes and procedures employed by the CPSC.\n\nObjective: In compliance with FISMA, to perform an annual independent evaluation of the\ninformation security program and practices of the agency in order to determine the effectiveness\nof such program and practices.\n\nScope and Methodology: The evaluation was conducted from August to October 2011. This\nevaluation consisted of a review of the following defined agency processes within the boundaries\nof the GSS LAN, CPSRMS and ITDSRAM applications:\n\n- Risk Management\n- Configuration Management\n- Incident Response and Reporting\n- Security Training\n- The Plan of Actions and Milestones (POAM)\n- Remote Access Management\n- Identity and Access Management\n- Continuous Monitoring Management\n- Contingency Planning\n- Contractor Systems\n- Security Capital Planning\n\n    This review constitutes both a follow-up of the findings and recommendations resulting from\nearlier audits, as well as a review of the CPSC\xe2\x80\x99s implementation of the IT security criteria as\ncurrently defined by FISMA. However, this year\xe2\x80\x99s review does not consider the status of the\nCPSC Data Privacy Program, as current OMB guidance no longer requires this reporting by the\nOIG.\n\n    The statuses of each of these topics were reviewed and discussed with the Chief\nInformation Officer, Director of Information Technology and Technical Services, Information\nSystems Security Officer, and relevant members of their staffs. Documentation developed by\nboth the CPSC officials and contractor personnel was reviewed, as necessary.\n\n\n\n\n                                                                                               6\n\x0c                                RESULTS OF EVALUATION\n\nPrior Findings, Recommendations, and Actions Taken: The FY 2001 audit of the CPSC\xe2\x80\x99s\ninformation security program revealed several material weaknesses in the CPSC\xe2\x80\x99s security\npolicies, procedures, and practices. Specifically, CPSC management had not implemented\nsufficient management, operational, and technical controls. All previously identified material\nweaknesses have now been corrected. However, due to a combination of budget limitations and\nthe new security system requirements promulgated by NIST and OMB, the CPSC failed to\naccomplish all of the new security requirements by their implementation target dates. All\nrecommendations are considered open until all of the underlying weaknesses have been\ncorrected. A summary of Prior Findings, Recommendations, and Actions Taken follows:\n\n1. Security Management Controls\n\n  Prior Finding: Security management controls are enterprise-wide procedures for managing\nand assessing the risks and security controls of a system over its life cycle. Because CPSC\nmanagement had not implemented sufficient management controls in the areas of risk\nmanagement, review of security controls, life cycle management, authorized processing, and\nsystem security planning, the techniques and concerns that normally are addressed by\nmanagement were not implemented fully. OMB Circular A-130, Appendix III requires sufficient\nmanagement controls in these areas. This condition appears to have been due to CPSC\nmanagement not having the necessary resources to make the implementation of Security\nManagement controls a priority.\n\n  Prior Recommendation: CPSC management should implement sufficient management\ncontrols in the areas of risk management, review of security controls, life cycle management,\nauthorized processing, and system planning to ensure efficient and effective management of the\nIT systems and the inherent risk associated with operating these systems.\n\n   Actions Taken: Significant progress has been made since 2001 to address this issue, but gaps\nremain. The agency has assigned an Information Systems Security Officer and one staff member\nto oversee agency IT security. The agency has developed an Information System Security Plan\n(SSP) for each of the accredited systems (the GSS LAN, CPSRMS, and ITDSRAM). The\nagency hired outside consultants to perform independent security control assessments each year\nsince the requirement was enacted by NIST in 2006, except for Fiscal Years 2006, 2009, and\n2011. The agency has also developed and formalized, although not fully implemented, a policy\nand procedure for establishing a certification and accreditation process, which conforms to the\nNIST framework. This, in addition to the development of a System Development Lifecycle Plan\n(SDLC) and Business Continuity Plan adequately remediated all previous material weaknesses in\nthose areas in FY 2003, and allowed the GSS LAN to obtain a full ATO in 2004.\n\n  In FY 2005, in accordance with new OMB guidance, the CPSC began using NIST SP 800-26\nto perform agency security self-assessments, and it also began implementing new system\nconfiguration policies. Efforts continue in an attempt to bring the CPSC into full compliance\nwith all other FISMA and OMB requirements.\n\n\n                                                                                             7\n\x0c  In FY 2006, new security system requirements promulgated previously by NIST and OMB\nbecame mandatory. In order to retain accreditation and certification of its information systems,\nthe CPSC was required to have its security controls independently tested and evaluated annually.\nDue to funding limitations this was not done in FY 2006.\n\n  In order to meet the accreditation and certifications requirements outlined above, and to\ndetermine whether the security controls identified for the CPSC Network General Support\nSystem in the System Security Plan were implemented correctly and effectively, during FY\n2007, the Office of the Inspector General conducted a Security Test and Evaluation (STE\nEvaluation) in accordance with NIST SP 800-53. The STE Evaluation identified 63\nvulnerabilities for the CPSC Network General Support System. Of these, six were found to be\nhigh-risk vulnerabilities; 31 were found to be medium-risk vulnerabilities; and 26 were found to\nbe low risk vulnerabilities. The STE Evaluation Report included a planned mitigation with an\nassociated due date for each vulnerability identified.\n\n  In FY 2008, the CPSC regained system certification. This was accomplished after the\nmitigation of the six high-risk vulnerabilities found in the STE Evaluation and the successful\napproval and testing of the CPSC\xe2\x80\x99s IT Contingency Plan.\n\n   In FY 2009, a fundamental problem with the CPSC\xe2\x80\x99s Plan of Actions and Milestones (POAM)\nwas found. OMB has determined that agency POAMs must reflect known security weaknesses\nwithin an agency and, \xe2\x80\x9c. . . shall be used by the agency, major components, and program\nofficials, and the IG as the authoritative agency management mechanism to prioritize, track, and\nmanage all agency efforts to close security performance gaps.\xe2\x80\x9d Although changes in 2009 had\nbeen made to help the agency address this shortcoming, historically, the POAM had not been\nused by the CPSC as an affirmative management tool in addressing security weaknesses.\nAlthough historically it had done a good job of documenting known security weaknesses and\nprioritizing them, the agency had not used the POAM to track or project the resources or\nmilestones necessary to address these weaknesses (as required by the OMB). As a result, the\nagency lacked historical data regarding its past efforts, and it failed to take advantage of a\npowerful planning tool to address current and future IT security challenges. Moreover, as of the\nconclusion of the FY 2011 FISMA review, it was noted that the POAM still had not been\nimplemented adequately. Milestones and milestone dates were not documented adequately for\neach of the known security weaknesses. Also, the related capital investments were not\nreferenced adequately for each of the security weaknesses identified in the POAM.\n\n   Our FY 2009 review determined that the CPSC IT System had maintained its certification and\naccreditation and that the system\xe2\x80\x99s security controls, in the opinion of management, were tested\nand reviewed insofar as the agency monitored the system continuously. However, the\nContingency Plan, again, had not been maintained and was not tested within 2009 or 2010. Due\nto changes to the agency operating environment since the drafting of this plan, management has\ndecided that a new Business Continuity Plan is necessary. To address this issue, management\nhas contracted an outside consultant, Evoke, to draft Information Contingency Plans (ISCP) for\nthe GSS LAN and each of the accredited major applications. This project is scheduled to be\ncompleted by December 31, 2011. Once the ISCPs are drafted and tested, the agency is planning\nto develop a full Continuity of Operations Plan (COOP).\n\n                                                                                              8\n\x0c   In FY 2010, the CPSC contracted SecureIT to perform the annual GSS LAN Risk Assessment,\nSecurity Test and Evaluation (ST&E), Security Assessment Report (SAR), and work on\ndeveloping the SSP and defining a Continuous Monitoring process. This allowed the CPSC to\nidentify risks, define compensating controls, and outline remediation actions. The agency\nextended this contract in 2011 and increased its scope to include the CPSRMS application;\nhowever, due to staffing constraints by the contractors, these assessments could not be performed\nby September 30, 2011. The independent security control assessments were scheduled to be (and\nwere) completed on October 30, 2011. However, due to the timing of these assessments, the\nOIG was unable to include the results of these assessments in this report.\n\n   Also in FY 2010, it was noted that the Certification and Accreditation (C&A) policy did not\ndefine objective, measurable criteria that could be used to determine if an in-scope system could\nbe certified and accredited, recertified and reaccredited, or conversely, decertified. Furthermore,\nalthough the C&A policy addressed a process to track continuously changes to information\nsystems that may necessitate reassessment of control effectiveness, as defined by SP 800-37, no\nprocess currently in place to track continuously and document the results of these changes.\nAdditionally, as of the FY 2011 review, the policy still has not been updated.\n\nRisk Management Review:\n\n   It was noted that the C&A policy does not include the following key NIST required elements:\nthe process by which entities coordinate to perform critical risk management tasks (e.g., how\nentities determine the risk to business processes or the organization as a whole); the requirement\nfor agency officials to review and update these policies periodically; the frequency with which\npolicies and procedures must be reviewed/updated; and how often the policies and procedures\nare to be disseminated to resources with key policy responsibilities.\n\n   Furthermore, the C&A policies do not address the creation of the Risk Executive (function)\nrole or the governing body, required to provide oversight of the risk management process.\nWithout these functions in place and without their roles defined and established clearly, the\norganizational perspective of risk may be lost. Moreover, although the C&A policy requires the\nagency to create a Risk Management Strategy, and although the policy outlines what typically is\nincluded in a Risk Management Strategy (e.g., the tools and procedures used to assess risk within\nthe agency, the process by which risks are prioritized, the process by which risk is monitored and\nOrganizational Risk Tolerance), this policy does not define what must be included in the\nagency\xe2\x80\x99s Risk Management Strategy or the procedures for developing such a strategy.\n\n   Moreover, the Enterprise Architecture (EA) process was not developed fully, nor was it\nintegrated effectively into the agency\xe2\x80\x99s risk management process. Also, the process to define\nand accept risk when authorizing operation of a system is inadequate. No guidance has been\nincluded in any of the agency policies, procedures, or plans to ensure that existing risks are\nwithin the organizational risk tolerance. Without independent criteria, such as organizational\nrisk tolerance, to provide guidance on what is considered an acceptable risk, the decision to\nauthorize a system to operate is not justified sufficiently. Currently, there is an informal process\nto determine whether the risk associated with operating an information system is deemed\n\n                                                                                                  9\n\x0cacceptable. If the information system has no high-risk security weaknesses, the risk of operating\nthe system is deemed acceptable. The decision to assign criticality to the security weaknesses on\nthe POAM was based on an undocumented, informal risk assessment performed by the CPSC\nsecurity team in conjunction with the control assessors.\n\n   It was also noted that the security documents were not maintained consistently and did not\nsatisfy fully the OMB and NIST documentation requirements. Control descriptions in the\nCPSRMS and ITDSRAM SSPs did not provide sufficient detail. Additionally, it was noted that\nthe GSS LAN, and CPSRMS Security Assessment Plan do not document how the selected\nassessment procedures are to be optimized in order to ensure maximum efficiency. Moreover,\nthe GSS LAN security documents (the GSS LAN SSP, SAR, and Risk Assessment) were not\nmaintained throughout the year to provide an up-to-date view of the GSS LAN security posture.\nThe GSS LAN security documents were not updated for 9 1/2 months prior to the interim ATO\nbeing granted to the GSS LAN. Additionally, a major change was made to the GSS LAN\nenvironment on March 11, 2011, when CPSRMS was implemented. However, the GSS LAN\nsecurity documentation was not updated accordingly, as is required. Periodic security status\nreports, which document the assessment of control effectiveness and changes to the GSS\nLAN/major applications, were not developed and presented to the Authorizing Officials, Risk\nExecutive (function) and Information System owners, as required by NIST SP 800-37. The\nannual security control assessment and accompanying SAR, required by the C&A policy, were\nnot performed and documented for the GSS LAN and CPSRMS application. Therefore, the GSS\nLAN and CPSRMS Risk Assessments were not updated to include the results of the security\ncontrol assessment, in FY 2011. Moreover, continuous monitoring reports were not developed\nand distributed to senior management or OMB on a periodic basis, as prescribed by OMB M 10-\n15.\n\nRisk Management Recommendations:\n\n1. The agency should develop standalone Risk Management policies and procedures or update\nthe C&A policy and ensure that it includes the following additional components:\n\n       (a). The requirement for a governance structure to be implemented to manage risk from\nan organizational, mission, and solution level. [e.g., the Risk Executive (function) and related\ngovernance bodies (Executive Risk Council)]. This policy should also include the roles and\nresponsibilities for each resource involved within the governance of the risk management\nprocess.\n\n       (b). What must be included in the agency's Risk Management Strategy (e.g., tools and\nprocedures used by the agency to assess risk, the process by which risk is prioritized, how\norganizational risk tolerance is to be defined and measured against, and how risk is going to be\nmonitored throughout the year).\n\n       (c). The process by which the Enterprise Architecture is used in the risk management\nprocess.\n\n\n\n\n                                                                                              10\n\x0c        (d). The process by which decisions at the business process and solutions level are guided\nby the impact to the organization (e.g., the creation of an Executive Risk Council).\n\n        (e). A requirement that the authorization decision for an information system is based on\nthe system\xe2\x80\x99s operation within the defined organizational risk tolerance.\n\n       (f). Identifying who is required to sign off on the ATO and to whom the security\nauthorization documents are disseminated.\n\n       (g). The process by which the organizational entities coordinate with each other to\naddress the requirements of the related policies and procedures.\n\n        (h). A requirement for the periodic review and updating of information security policies\nand procedures should be documented in a separate governing policy or within the individual\npolicies.\n\n       (i). The frequency with which the organization reviews/updates the policies and\nprocedures should be documented in a separate governing policy or in the individual policies.\n\n       (j). The frequency with which the organization disseminates formal documented\nprocedures to elements within the organization having associated roles and responsibilities.\n\n       (k). A distribution list and a requirement that the policies be distributed to all resources\nwith key responsibilities outlined in the policies or procedures.\n\n2. Develop and document a robust risk management process, which is lead by a Risk Executive\n(function) and reports to a governing board that includes senior management. The Risk\nManagement Strategy should be developed and implemented using the NIST SP 800-37\nguidance to ensure all key requirements are included.\n\n3). The organization-wide Risk Management Strategy should be developed and include:\n\n       (a). techniques and methodologies that the organization plans to employ to assess\ninformation system-related security risks and other types of risk of concern to the organization;\n\n        (b). methods and procedures that the organization plans to use to evaluate the significance\nof the risks identified during the risk assessment;\n\n       (c). types and extent of risk-mitigation measures that the organization plans to employ to\naddress identified risks;\n\n       (d). level of risk that the organization plans to accept (i.e., risk tolerance);\n\n      (e). how the organization plans to monitor risk on an ongoing basis, given the inevitable\nchanges to organizational information systems and their environments of operation; and\n\n\n\n                                                                                                11\n\x0c       (f). the degree and type of oversight that the organization plans to use to ensure that the\nrisk management strategy is being carried out effectively.\n\n4). Additionally, an addendum should be added to each of the SARs, as the NIST SP 800-37\nguidance suggests, providing agency officials with the opportunity to comment on the assertions\nmade by the independent assessors. This will provide management with an opportunity to\ndocument the differences of opinion between the independent assessor and the CPSC Security\nTeam. This will also allow agency management to justify any decisions not to include items\ndeemed high-risk security vulnerabilities by the independent assessors in the POAM.\n\n5). The functional descriptions of the security controls for CPSRMS and ITDSRAM applications\nmust be updated to include sufficient detail to allow an assessor to test the control without\nobtaining further clarification from the developers. These control descriptions must include\nplanned inputs, expected behaviors, and expected outputs. Additional guidance for this process\nis outlined in NIST SP 800-37. Moreover, control owners should be identified based on IT\nsystem responsibilities, and the control owners should be responsible for maintaining the control\ndescriptions to ensure the information is as current as possible. Additionally, all changes to the\nsecurity controls by the control owners should be approved by the Security Team.\n\n6). The agency should develop a process for consolidating and combining selected assessment\nprocedures for the GSS LAN and CPSRMS, where possible.\n\n7). The agency should document the process for consolidating and combining selected\nassessment procedures in the GSS LAN and CPSRMS Security Assessment Plan.\n\n8). The GSS LAN SSP should be updated each time a change with a security impact is made to\nthe GSS LAN, such as the implementation of CPSRMS. The GSS LAN SSP should be updated\nregularly and serve as a \xe2\x80\x9cliving document,\xe2\x80\x9d representing the most up-to-date security information\nrelated to the GSS LAN. Additionally, the formal Risk Assessment, along with all other security\ndocuments, should be updated each time a major change occurs to the system; and these\ndocuments should be used in any decision to reaccredit the system or authorize the system to\noperate.\n\n9). The agency should satisfy all high-risk security weaknesses and obtain a current\nAuthorization to Operate for the GSS LAN.\n\n10). Security status reports should be developed to describe the results of the ongoing monitoring\nactivities performed by the agency. These reports should address vulnerabilities in the\ninformation systems and their environments of operation discovered during the security control\nassessment, Security Impact Analyses, and security control monitoring activities. Additionally\nthe security status reports should include how the agency intends to address those vulnerabilities.\nAt a minimum, the security status reports should describe or summarize key changes to SSPs,\nSARs, and POAMs, as well as the results of the scans described in the Continuous Monitoring\nPlan. This information may be combined with the continuous monitoring reports required by the\nOMB on a monthly basis to make the process more efficient.\n\n\n\n                                                                                                12\n\x0c11). The Authorizing Official, System Owners, and Risk Executive (function) should be\npresented the security status reports on a periodic basis to determine whether a formal\nreauthorization action is necessary.\n\n12). The agency should perform the security control assessment on the selected NIST SP 800-53\ncontrols for the GSS LAN and CPSRMS application, as soon as possible.\n\n13). Perform the security control assessment on the selected NIST SP 800-53 controls for the\nGSS LAN and CPSRMS application as soon as possible, and update the Risk Assessments based\non these results, and present this information to the Authorizing Official and System Owner.\n\n14). As per OMB M 10-15, continuous monitoring reports should be developed and provided to\nthe OMB on a monthly basis. Additionally, the Information System Owners and Chief\nInformation Officer should be presented with these continuous monitoring reports for their\nreview on a monthly basis, to assist them in managing actively the risks that are known.\n\nThe monthly Continuous Monitoring Reports should include the following information, as\nprescribed for in the Continuous Monitoring Plan:\n\n       (a). the results from monthly configuration management scans (FDCC scans, as well as,\nscans for compliance with all of the relevant information systems (e.g., Microsoft Windows\nServer 2008, Research In Motion (RIM) Blackberry Server, Database Servers, Web Servers);\n\n       (b). the results from monthly vulnerability scans (Patch management compliance, client\nvulnerability and server vulnerability scans);\n\n       (c). the results from monthly asset management scans which identify hardware and\nsoftware assets on the network; and\n\n       (d). the results from the event and incident management processes. This process includes\nthe identification of unauthorized privileges, unauthorized access, stagnant accounts, and\nunauthorized hardware/software.\n\nPOAM Review:\n\n   In FY 2010, it was noted that the GSS LAN POAM was not formalized and implemented\nfully, and program officials were not notified of the progress of the security issues identified in\nthe GSS LAN POAM. Although gaps still remain, the agency has implemented formally a\nPOAM for the GSS LAN and has made the following improvements in this area: how the\nsecurity weaknesses are identified is now documented and mapped to the source document; a\nscheduled completion date for each security weakness is now documented, although\nundocumented changes to this date are made; a remediation activity owner has been assigned to\neach security weakness; resources and timeline requirements are now documented; and agency\nofficials are now provided with quarterly updates on changes to the GSS LAN POAM.\nAdditionally, some remediation milestones are documented, although changes to milestones, and\nthe related justifications, are not tracked and documented. Moreover, the estimated funding\n\n                                                                                                13\n\x0cresources required to remediate the security weakness, as well as the source of that funding, are\nnot documented consistently. In addition, GSS LAN POAM items, which are associated with\ninvestments identified in the IT Investment portfolio, do not include Unique Project Identifiers\n(UPIs) that allow agency officials to trace the security weakness to the budget documentation.\n\n  It was noted in the FY 2011 assessment that the CPSRMS and ITDSRAM applications used\nPOAMs to document and track material security weaknesses. However, the ITDSRAM was\nmissing the following OMB-04-25 required information: key milestones (along with their\nassociated completion dates); the estimated funding resources required to resolve the weakness;\nthe agency\xe2\x80\x99s justification for the costs associated with the remediation activity; and changes to\nmilestones tasks/dates.\n\n   It was also noted as part of the FY 2011 assessment that the agency had not performed an\nannual security control assessment for the GSS LAN and CPSRMS by September, 30, 2011, as is\nrequired by NIST. Therefore, the agency could not document the security risks and\nvulnerabilities that may have been uncovered as a result of these assessments in the latest version\nof the POAM. The CPSC should perform and document a formal review of its technical security\ncontrols on a regular basis and include the results of these assessments in the agency POAMs.\n\nPOAM Recommendations:\n\n1). Update the C&A policy to include a requirement to review and approve the policy on an\nannual basis or develop an entity-level policy that requires all IT security policies and procedures\nto be reviewed and approved on an annual basis.\n\n2). The \xe2\x80\x9cEstimated Completion Date\xe2\x80\x9d should be static\xe2\x80\x94once created, it should not change. The\nactual completion date should be documented in the \xe2\x80\x9cStatus\xe2\x80\x9d field in the POAM, if different than\nthe estimate.\n\n3). The key milestones documented in the POAM should include an estimated completion date\nfor all of the security weaknesses tracked on the POAM.\n\n4). All changes to the milestones or milestone dates should be documented in the POAM.\n\n5). POAM items that are associated with investments identified in the IT Investment portfolio\nshould include UPIs to allow agency officials to trace the security weakness to the budget\ndocumentation (This recommendation also appears in the Security Capital Planning section of\nthe report).\n\n6). All fields defined within the SharePoint tool used to track the security weaknesses should be\ncompleted for each security weakness.\n\n7). The following information should be captured in the ITDSRAM POAM for all security\nweaknesses associated with the ITDSRAM application: key milestones (along with their\nassociated completion dates); the estimated funding resources required to resolve the weakness;\n\n\n\n                                                                                                 14\n\x0cthe agency\xe2\x80\x99s justification for the costs associated with the remediation activity; and changes to\nmilestones tasks/dates.\n\nContinuous Monitoring Review:\n\n Although a security control assessment was performed in FY 2010, and was documented in the\nSSP, a full Continuous Monitoring strategy had not been approved or implemented at that time.\nAdditionally, documented policies and procedures for continuous monitoring did not exist.\nTherefore, an outside vendor, SecureIT, was engaged to develop a Continuous Monitoring Plan.\nThe project to draft this document began on January 1, 2011, and was concluded on August 15,\n2011, with the approval of the 2011 Continuous Monitoring Plan.\n\n   It was noted, however, that the Continuous Monitoring Plan was not implemented. Security\nImpact Analyses (SIAs) are not performed on system changes. Also, a tool set to facilitate the\ncontinuous monitoring reporting was requested and obtained by the CPSC Security Team;\nhowever, due to funding issues, procurement was delayed and the tools were not implemented\nfully by the end of FY 2011. As such, the agency does not inventory hardware and software\nadequately, report on configuration management compliance, and report on patch management\ncompliance and system vulnerabilities.\n\n   The reports outlined in the Continuous Monitoring Plan cannot be developed and presented to\nthe Authorizing Official for periodic review due to the lack of SIAs and properly documented\nconfiguration management, patch management, and system vulnerability scans. Additionally,\nthe annual Security Control Assessments for the GSS LAN and CPSRMS application were not\nperformed and the annual Security Status Report was not drafted and presented to the\nAuthorizing official as required by the Continuous Monitoring Plan.\n\nContinuous Monitoring Recommendations:\n\n1) Develop and implement an OMB/NIST compliant Continuous Monitoring Policy and\nattendant procedures. These should include requirements to monitor logs actively, detect\nunauthorized elevation of privileges, identify unauthorized devices on the network, and monitor\nconsistently the security architecture for vulnerabilities.\n\n2). Security Impact Analyses (SIAs) should be performed and the results documented, for all\nsystem changes and reported in the Security Status Reports. (This recommendation also appears\nin the Configuration Management section of the report).\n\n3). Deploy the Zenworks tool to all clients and develop and maintain a current inventory of all\nclient hardware and software. (This recommendation also appears in the Configuration\nManagement section of the report).\n\n4). Implement fully the Tenable solution to facilitate the development of a current inventory of\nall non-client hardware and software. (This recommendation also appears in the Configuration\nManagement section of the report).\n\n\n\n                                                                                              15\n\x0c5). The Tenable tool should also be implemented fully to assess and report on the results of the\nvulnerability scans; to assess compliance with the agency\xe2\x80\x99s configuration baselines; and to assess\ncompliance with the agency\xe2\x80\x99s patch management program. (This recommendation also appears\nin the Configuration Management section of the report).\n\n6). Continuous monitoring reports, based on the information gathered in recommendations 1\xe2\x80\x934,\nshould be presented to the Authorizing Official and should include the results of the system\nscans, as well as critical events identified as part of the Incident Management process (e.g.,\nidentification of unauthorized privileges, unauthorized access, stagnant accounts, and\nunauthorized hardware/software).\n\n7). A security control assessment should be performed for the GSS LAN and CPSRMS\napplication. The results of this assessment should be documented in the GSS LAN and\nCPSRMS SARs, and these resulting changes should be documented in the Security Status\nReports.\n\n8). The annual Security Status Report should be drafted and presented to the Authorizing\nOfficial.\n\nContingency Planning Review:\n\n  In FY 2010, it was noted that the agency had not formalized or tested a Business Impact\nAnalysis (BIA), Business Continuity Plan (BCP), Disaster Recovery (DR) Plan or Information\nSystem Contingency Plan (ISCP) for the GSS LAN. This was still not remediated as of the FY\n2011 assessment. This is one reason the GSS LAN lost its security certification. However, in\nSeptember 2011, the agency hired a contractor, Evoke, to develop an ISCP for the GSS LAN and\nCPSRMS. According to management, this remediation will reduce the risk sufficiently to allow\nagency officials to accept the residual risk and recertify the GSS LAN. These plans are\nscheduled to be completed and tested by December 30, 2011. In FY 2010, it was noted that data\nbackups were not restored periodically to ensure that data had not become corrupted. This was\nremediated in FY 2011, and the agency now restores backup media on a quarterly basis.\n\n  It was also noted that no formal policies and procedures exist that govern the contingency\nplanning process. These policies and procedures are expected to be finalized by December 30,\n2011. Additionally, the agency had not performed and documented a Business Impact Analysis,\ndeveloped or tested a Continuity of Operations Plan (COOP), Disaster Recovery (DR) Plan,\nBusiness Continuity Plan (BCP), or Cyber Incident Response Plan, as required by NIST SP 800-\n34. Each of these, except the Cyber Incident Response Plan, will be completed as part of the\nEvoke contract; however, a completion date for these tasks was not formally established. The\nCyber Incident Response Plan is expected to be developed in-house; however, an estimated\ncompletion date was not established.\n\n  The alternative storage site is approximately 11 miles away from the agency's primary data\ncenter. Due to this close proximity, the alternative storage site is subject to the same threats as\nthe primary site. The agency has decided to accept the risk associated with the close proximity\nbecause the cost would be too high to locate these facilities in another geographic region. It was\n\n                                                                                                16\n\x0calso noted that the agency has not established an alternative processing site. Evoke has been\ncontracted to assist the agency in establishing an alternative processing site; however an\nestimated completion date was not formally established for this project.\n\nContingency Planning Recommendations:\n\n1). Develop and implement an OMB-/NIST-compliant Continuous Monitoring Policy and\nattendant procedures. Input should be solicited from each CPSC department to ensure proper\npolicy coverage.\n\n2). Train all apposite resources on the continuity planning responsibilities assigned to them in the\npolicy.\n\n3). Perform, document, and approve a formal Business Impact Analysis, in accordance with\nNIST SP 800-34.\n\n4). Develop, test, and approve an agency COOP, in accordance with NIST SP 800-34.\n\n5). Develop, test, and approve an agency DR Plan, in accordance with NIST SP 800-34.\n\n6). Develop, test, and approve an agency BCP, in accordance with NIST SP 800-34.\n\n7). Develop, test, and approve an agency Cyber Incident Response plan, in accordance with\nNIST SP 800-34.\n\n8). Develop and test an ISCP for the GSS LAN and its major applications, in accordance with the\ncriteria set forth in NIST SP 800-34 and NIST SP 800-53, CP-2.\n\n9). The required testing frequency of the COOP, BR, BCP, and ISCP plans should be\ndocumented in the SSP.\n\n10). After-action plans should be drafted to document the lessons learned identified as part of the\nCOOP, DR, BCP and ISCP plan testing.\n\n11). The agency should select and establish an alternative storage site located in a different\ngeographic region than the primary storage site.\n\n12). Establish an alternative processing site with the equipment and supplies required to resume\noperations to support delivery to the site in time to support the organization-defined time period\nfor resumption.\n\nContractor Systems Review:\n\n  In FY 2010, the agency did not have documented policies and procedures to govern the\noversight of contractor systems. These policies still did not exist as of the completion of the FY\n2011 review. The CPSC does not outsource its systems to parties outside the federal government\n\n                                                                                                 17\n\x0cand all intergovernmental IT relationships are governed through Memorandums of\nUnderstanding (MOUs), Interconnect Security Agreements (ISAs), and Statements of Work\n(SOWs). It was noted in FY 2010 that a third party inventory was not maintained formally by\nthe agency. This was remediated during FY 2011, and a comprehensive list of third party\nsystems that interconnect with agency systems has been formalized and is being maintained by\nthe agency.\n\nContractor System Recommendations:\n\nPolicies and procedures should be developed, approved, implemented, and maintained by EXIT\nto ensure that appropriate oversight exists for IT systems operated by contractors or others on the\nagency\xe2\x80\x99s behalf. These policies/procedures should address expressly how security controls of\nthird party IT systems are implemented and comply with federal and agency guidelines. The\npolicies/procedures should include the following:\n\n       1). A requirement for all systems to be inventoried and third party systems identified.\n\n      2). A requirement that all third party systems have their interfaces identified and\ndocumented in the inventory.\n\n       3). Approval requirements for the third party inventory (e.g., the agency official\nresponsible for reviewing and approving the inventory should be identified and documented. The\nfrequency with which the inventory requires review and approval should also be documented).\n\n       4). The process by which the FISMA requirements are to be built into the third party\ncontracts (please see Government Information Security Reform Act of 2000 for details on what\nmust be included in government contracts).\n\n       5). The process by which system boundaries will be defined and documented.\n\n        6). What will be done to ensure that adequate security controls are in place for each of the\nthird party IT systems (e.g., agency roles responsibilities for the SSAE 16 user control testing for\neach of the in-scope third party IT systems).\n\n        7). Documentation requirements for the agency\xe2\x80\x99s ISAs with the contracted third parties\n(e.g., what information the agency requires in the ISA).\n\n        8). Documentation requirements for the agency\xe2\x80\x99s MOUs with the contracted third parties\n(e.g., what information the agency requires in the MOU).\n\n        9). Agency security requirements for the third party system (e.g., what happens if the\nthird party system loses its security accreditation?).\n\n       10). A process to ensure that the contractor remediates any security weaknesses identified\non agency POAMs associated with third party IT system.\n\n\n\n                                                                                                 18\n\x0cSecurity Capital Planning Review:\n\n   In FY 2011 it was noted the Security Capital Planning process is governed by the general\nCapital Planning and Investment Controls (CPIC) policies and procedures. It was noted that the\nCPIC policies and procedures generally meet the requirements set forth in the NIST SP 800-65\n(Integrating IT Security into the Capital Planning and Investment Control Process) guidance.\nThe policy documents, however, do not meet all of the NIST SP 800-53 and OMB M 11-33\nrequirements. Although these documents require that each development project include the costs\nassociated with all aspects of the security program, including POAM costs, specifics for how\nthese costs are to be cross-referenced to the budget materials sent to OMB in the fall are not\ncodified, as is required by OMB M-11-33. Additionally, the policy and procedures do not\nrequire that the budget documents include a discrete line item for security costs, as is required by\nNIST SP 800-53, SA-2.\n\n   Moreover, the OIG contracted Withum Smith+Brown (WS+B) to perform an Information\nTechnology Investment Management (ITIM) assessment in August 2010, which included an\naudit of the CPIC process. At that time, the agency was at Stage 1 of the ITIM framework and\npartially compliant with the stage two requirements. Although the agency was not reassessed\nthis year, it was noted that the documented policies and procedures have not been implemented\nfully.\n\n   The agency uses contract services for the majority of its IT projects. The contractors, who are\nresponsible for developing the systems, in conjunction with the CPSC Security Team, are also\nresponsible for the implementing system security. Earned Value metrics are designed and used\nto monitor project progress against the project milestones/plans for large projects, which is the\nmethod the agency uses to ensure security is properly implemented. For smaller projects and\nprojects that are managed entirely in-house, an informal process is used to monitor progress\nagainst project milestones. It was also noted that Exhibit 300s (IT Capital Asset Plans) require\nthe agency to indicate if Earned Value Management (EVM) is required for a particular contract\nor task order and for exceptions to be documented.\n\n   Additionally, it was noted that the Investment Review Board (IRB) is responsible for\nprioritizing all facets of agency investments, including IT Security investments, against the\nagency mission. The consequent prioritization results in the decision to fund or withhold\nfunding from a particular project for the next fiscal period. Furthermore, to ensure that security\nis prioritized adequately, the Information System Security Officer (ISSO) is a voting member in\nthe weekly IT management prioritization meetings, which are held, in part, to prepare investment\nrecommendations for the IRB. Moreover, the ISSO participates in the IRB in a nonvoting\ncapacity.\n\n  IT security has not been assigned a separate budget. Instead, security is funded on a project-\nby-project basis, and the project security costs are included in the project component line items\nwithin the Work Breakdown Structures (WBSs), which relate to the security requirements. To\nensure funding is available to maintain the level of security identified in the investment\ndocuments, funding for security is allocated to each project component with an associated\nsecurity component.\n\n\n                                                                                                 19\n\x0c   It was noted, however, that although IT Security is a central feature in the IT Infrastructure\ninvestment, a discrete line item for IT security does not appear in the budget documentation for\nthe IT Infrastructure investment. Additionally, resources required to implement the\nconfiguration management security requirements associated with the IT Infrastructure\ninvestment are not explicitly documented in the capital planning and investment request or\nrelated budget documents. Furthermore, the security weaknesses, with associated projects\ndocumented in the CPSC POAMs, do not all tie to the Investment budget documentation. The\nPOAMs do not include the associated UPIs, as required by OMB M-11-33; and a spend plan has\nnot been developed for the IT Infrastructure investments that can be used to tie the security costs\nassociated with the POAMs to the budget documentation.\n\nSecurity Capital Planning Recommendations:\n\n1). Policies/procedures should be developed/enhanced and implemented to ensure that POAM\nitems related to projects in the IT Investment Portfolio are properly cross-referenced to the\nbudget materials sent to OMB in the fall, including the Exhibits 53 and 300s. An example of\nhow this may be accomplished is to require that a discrete line item be included for IT security in\nall WBSs, Spend Plans, and/or Exhibit 300s. Additionally, policies/procedures should be\nenhanced and implemented to require that the investment Unique Project Identifier (UPI) be\ndocumented in each POAM. This will allow a specific investment on the Exhibit 53 to be tied to\nall of its related POAM items.\n\n2). The policies/procedures should be enhanced and implemented to require all POAMs that\nreflect estimated resource needs for correcting reported weaknesses to specify whether funds will\ncome from a reallocation of base resources or a request for new funding. While the POAMs will\nnot be used as agency funding requests by OMB, a brief rationale should be provided when a\nrequest for new funding is contemplated.\n\n3). The budget documentation for each investment should include a specific reference for all of\nits related POAMs.\n\n4). A spend plan, which includes a discrete line item for IT security costs, should be developed\nfor the IT Infrastructure and Commission Information System (CIS) investments as it has been\ndeveloped for the CPSRMS investment. Additionally, the individual investment project plans\nshould roll up to, and tie to, the spend plan.\n\n2. Security Operational Controls\n\n  Prior Finding: Security operational controls are used to assess the security of the system\nprocesses and the people who interact with or operate those systems. Because CPSC\nmanagement had not implemented sufficient operational controls in the area of personnel\nsecurity, data integrity, and documentation, CPSC management was not able to address security\nprocedures to focus on security mechanisms that affect the daily operation of the Commission.\nOMB Circular A-130, Appendix III requires that sufficient operational controls be in place for\npersonnel security, data integrity, and documentation. This condition may have been due to\n\n\n\n                                                                                                   20\n\x0cCPSC management not having the resources necessary to make implementation of operational\ncontrols a priority. The level of risk was rated \xe2\x80\x9chigh\xe2\x80\x9d for personnel security and data integrity.\n\n  Prior Recommendation: CPSC Management should implement sufficient operational\ncontrols in the area of personnel security, data integrity, and documentation to ensure efficient\nand effective management of the IT systems in support of the CPSC\xe2\x80\x99s mission.\n\n  Action Taken: Significant progress has been made since 2001, to address this issue, even\nthough gaps remain. As previously mentioned, the CPSC contracted with Patriot to develop the\nInformation System Security Plan (SSP) in 2002. Patriot reported that in order for the CPSC to\nimplement and maintain the requirements of the SSP adequately, a staff of three full-time\npersonnel (information system security officer, network security engineer, and applications\nsecurity engineer) would be needed. Qualifications and responsibilities for each position were\ndelineated in the 2003 SSP. The CPSC has since hired an Information System Security Officer\nand provided him with one staff member to implement and maintain the SSP requirements. The\nremaining responsibilities are contracted out on an \xe2\x80\x9cas needed\xe2\x80\x9d basis. However, it was noted\nthat additional internal resources are required to implement and maintain the SSP requirements\nadequately.\n\n  In FY 2007, OMB mandated that agencies adopt security configurations for Windows XP and\nVISTA, as well as a policy for ensuring that new acquisitions include common security\nconfigurations. (See OMB Memorandum M-07-11 \xe2\x80\x9cImplementation of Commonly Accepted\nSecurity Configurations for Windows Operating Systems,\xe2\x80\x9d and OMB Memorandum M-07-18\n\xe2\x80\x9cEnsuring New Acquisitions Include Common Security Configurations\xe2\x80\x9d). The CPSC has since\nformalized a Configuration Management Policy to govern this process; however, this policy was\nnot fully implemented; attendant procedures were not fully developed, and configuration\nbaselines were not all implemented.\n\n   The theory behind the requirement for agency-wide security configuration policies is that\ncommon security configurations provide a baseline level of security, reduce risk from security\nthreats and vulnerabilities, and save time and resources. This allows agencies to improve system\nperformance, decrease operating costs, and ensure public confidence in the confidentiality,\nintegrity, and availability of government information.\n\n  In FY 2009, it was noted that peer-to-peer training should be added to the training curriculum.\nThe agency has remediated this in FY 2011, by providing the CPSC resources peer-to-peer\ntraining as a separate training module.\n\nConfiguration Management Review:\n\n   As a result of the OIG\xe2\x80\x99s follow-up on actions taken to remediate prior findings, as well as the\ntesting for the FY 2011 FISMA review, several new findings were noted. Although the agency\nbaselined Windows XP in FY 2011, and it also implemented the U.S. Government Configuration\nBaseline (USGCB) [formally, the Federal Desktop Core Configuration (FDCC)] recommended\nconfigurations for Windows XP, baseline configurations were not properly documented or\nimplemented for other agency software or hardware components. This includes IE7, which is\n\n                                                                                               21\n\x0crequired explicitly by the USGCB. The agency expects to release Windows 7 on December 30,\n2011. In order to achieve compliance with the USGCB requirements, the agency is working to\nimplement the USGCB-required configurations for Windows 7 and IE8, prior to the Windows 7\nrelease in December. Additionally, the inventory of configuration baselines is incomplete, and a\nprocess was not developed to ensure that all critical hardware and software are baselined.\n\n   Although significant progress was made and tools were partially implemented to facilitate the\nagency in its efforts to develop and maintain a software/hardware inventory, the\nsoftware/hardware inventory process is not mature yet. The agency is in the process of\nimplementing a tool set that will allow a comprehensive software/hardware inventory to be\ndeveloped; however, these tools were not fully implemented, and a comprehensive\nsoftware/hardware inventory was not developed. This has prevented the agency from ensuring\nits baseline configuration inventory is complete. Furthermore, local administrative access to\nclients was not adequately controlled throughout the year, which increases the risk that unknown\nand unsecured software has been installed on the agency\xe2\x80\x99s network. Also, without a\ncomprehensive software inventory and adequate restrictions on local administrative access to\nclients, the agency is not able to achieve adequate property accountability. This is because\nsoftware license compliance is impossible to ensure without these tools and controls in place.\n\n  As mentioned earlier, SIAs are not adequately performed and documented for each system\nchange. The change control forms, which require completion prior to the change being\nimplemented, do not provide enough information to make an accurate determination of how\nsecurity will be affected as a result of the change. The resources who are performing and\ndocumenting the changes are not security experts. Because they are not experts, they are not\nqualified to complete the \xe2\x80\x9cHow Security Affected\xe2\x80\x9d section in the change control form.\nAdditionally, not all changes are approved by the ISSO prior to implementation. Therefore, an\nassessment cannot be adequately performed to determine the security impact to the operating\nenvironment and control framework.\n\n   It was also noted that the agency has formalized a patch management and change management\npolicy. However, the agency does not audit the activities associated with system change control.\nAlso, currently audits are not performed to identify all missing patches. The tools used for\nassessing compliance with the patch management process were not fully implemented at this\ntime. However, once the scanning tools are fully implemented, monthly audits will be\nperformed, and the results will be documented as part of the Continuous Monitoring process.\nThis process is expected to be fully implemented as of December 30, 2011.\n\n  It was also noted that development environments are not in place for workstations and servers,\nwhere changes and patches can be adequately tested prior to deployment. When a patch or\nchange is implemented on a workstation, it is tested on roughly five \xe2\x80\x9ctest\xe2\x80\x9d workstations that are\nnot connected to the network. However, this is insufficient for adequately testing the change.\nAdditionally, a development environment has not been implemented to test server patches and\nchanges.\n\n\n\n\n                                                                                              22\n\x0cConfiguration Management Recommendations:\n\n1). Procedures should be developed and formalized to standardize the implementation of the\nConfiguration Management process. The Configuration Management procedures should include\nthe following:\n\n       (a). timeframes in which the agency must remediate/accept identified baseline variances;\n\n        (b). the process by which the agency software requiring configuration management is\nidentified and inventoried;\n\n        (c). the process by which the agency hardware requiring configuration management is\nidentified and inventoried. The procedures should include how EXIT interacts with the business\nowners to identify the hardware requiring configuration management.\n\n        (d). the process by which the agency identifies all systems and system components that\nwill not be baselined. Currently, the policy refers to all \xe2\x80\x9cinformation systems\xe2\x80\x9d; however, not all\ninformation systems will be baselined; instead, the agency will determine the systems that\nrequire baselines and develop the configuration baselines accordingly.\n\n       (e). what information must be included in each configuration baseline SOP (e.g.,\nconfiguration settings, patch level, Software Load and Version, system architecture, where the\nresource resides on the network).\n\n2). The CPSC should develop an inventory of software and hardware requiring baselining, and\nthe process for developing this inventory should be documented in a procedure document. This\nshould be done with the assistance of the business owners. Mission-essential functions and\nsystems should be identified by the business owners, and this information should be provided to\nEXIT. EXIT should then identify and inventory the software and hardware associated with these\nfunctions.\n\n3). The CPSC should establish and document mandatory configuration settings for information\ntechnology products employed within the information system, using defined security\nconfiguration checklists that reflect the most restrictive mode consistent with operational\nrequirements.\n\n4). Implement the configuration settings.\n\n5). Identify, document, and approve exceptions from the mandatory configuration settings for\nindividual components within the information system, based on explicit operational\nrequirements.\n\n6). Monitor and control changes to the configuration settings in accordance with organizational\npolicies and procedures.\n\n\n\n\n                                                                                               23\n\x0c7). The agency should implement the Zenworks and Tenable tools on all agency clients and\nservers to develop and maintain a current and comprehensive software/hardware inventory. The\nsoftware/hardware inventory then should be used to develop an inventory of all required\nsoftware/hardware baseline configurations.\n\n8). The Tenable and Zenworks tools should also be used to facilitate the other OMB-directed\nmonthly reporting requirements.    These reporting requirements include the results of\nconfiguration management compliance, patch management compliance, and vulnerability scans.\n\n9). The agency should identify and remove all unauthorized software from the network.\n\n10). Periodic audits should be performed on the software inventory to ensure that baseline\nconfiguration documents are up-to-date.\n\n11). The process for managing IT software requests should be improved. One of the methods of\ndoing this would be with the implementation of an automated tool (i.e., SharePoint), which\nhouses all of the IT software request information and software licensing information. This tool\nshould also be used to obtain and document software request approvals and systematically\nrequire approval by the appropriate resources prior to closing/completing the new software\nrequest.\n\n12). The process for granting local administrative access to users should be improved and\nadministrative rights should be limited to only those who require the local admin access to\nperform core functions of their job. The process can also be improved by performing periodic\naudits to ensure only appropriate users have been assigned local admin access.\n\n13). Develop and enforce a process to govern software license compliance:\n\n       (a). Document a comprehensive software inventory.\n\n      (b). Document the number of instances in which each type of software is installed on the\nnetwork.\n\n       (c). Document and inventory all software licenses owned by the agency.\n\n      (d). Reconcile the software instances installed on the network with the software licenses\nowned by the CPSC, and remediate any discrepancies.\n\n       (e). Perform periodic audits to ensure future compliance.\n\n14). All USGCB/FDCC variances, along with a plan for remediation, should be documented, and\nany known residual risk accepted.\n\n15). Require sufficient granularity in the change requests to allow the security resource\nresponsible for the walkthrough and approval of the change to justify the approval decision.\n\n\n\n                                                                                            24\n\x0c16). For all system changes, perform and document a formal Security Impact Analysis (SIA),\nwhich includes sufficient granularity to allow the security resource responsible for the approval\nof the change to justify the approval decision. The SIA should capture all relevant system\nsecurity changes and be included in the change management packet, and the ISSO should\napprove all changes.\n\n17). All unremediated security vulnerabilities identified as part of the SIA should be documented\nin the POAM.\n\n18). Production changes should be audited to ensure that changes have been adequately tested,\ndocumented, and approved.\n\n19). Audits should be performed to identify all missing patches and the results of these audits\nshould be included in the Continuous Monitoring reports to OMB. The missing patches should\nthen be implemented. If the agency decides not to implement the missing patch, a formal\njustification should be provided.\n\n20). Construct a development environment for workstations and servers, and test all patches and\nchanges in these environments before deployment.\n\nIncident Response and Reporting:\n\n   The agency developed and formalized an Incident Response Policy on August 20, 2011,\nalthough it was not implemented or disseminated to the resources with key responsibilities.\nAdditionally, an Incident Reporting database was developed to track incident reports, and it\nresides on the IT Security SharePoint site. Incident Response procedures were documented in\nthe Incident Reporting database; however, these procedures were not implemented and were not\ndisseminated to the appropriate resources. The Computer Security Incident Response Team\n(CSIRT), Incident Response Team (IRT), Incident Coordination Handling and Management\nTeam (ICHM), and Branch Analyst Team (BAT) defined in the Incident Response procedures\nwere not established or trained on incident reporting responsibilities. The tasks assigned to each\nof these teams in the policies and procedures are not currently being performed. Without these\nteams established and team members trained to perform the functions outlined in the Incident\nResponse procedures, assurance cannot be given that a comprehensive analysis, validation, and\ndocumentation of all security incidents has been performed.\n\n   It was noted that the CPSC security team has been tracking the security incidents when\nnotified. However, the documented security incidents all do not include the following NIST SP\n800-61-required elements: actions taken by the incident handlers, comments from incident\nhandlers, a list of evidence gathered during the incident investigation, and the next steps to be\ntaken. Also, remediation plans were not documented for each reported incident. Agency\nmanagement asserts that, due to resource limitations, documenting a remediation plan for each\nincident is not practical.\n\n  Timeliness of the security team\xe2\x80\x99s response to Security Events cannot be attested to because not\nenough detail was included in the incident documentation. The incident documentation does not\n\n                                                                                               25\n\x0cinclude the time and date the security team was notified; therefore, the OIG could not assess how\nlong it took from security team notification to response. This process will eventually become the\nresponsibility of an IRT once the procedures are fully implemented.\n\n   Several security incidents were identified that were open for more than a month prior to\nresolution and closing. Additionally, one incident has been open for more than a month and is\nstill open. This circumstance has been attributed to the agency\xe2\x80\x99s failure to implement the\nincident response policies and procedures. The lack of adequate resources dedicated to the\nincident response process has restricted the agency\xe2\x80\x99s ability to resolve these issues in a timely\nmanner and minimize further damage that might result.\n\n  It was also noted that the agency has not developed and implemented a Forensic Incident\nResponse Policy, and the current Incident Response Policy does not include law enforcement\nnotification requirements. Additionally, on several occasions, the United States Computer\nResponse Readiness Team (US-CERT) was not notified in accordance with the timeframes\noutlined in the Incident Response Policy and in the federal guidelines for the documented\nincidents.\n\n   Additionally, nothing is in place to monitor for internal actions that may constitute threats,\nsuch as attempts to obtain unauthorized administrator rights. Moreover, although VPN and\nfirewall logs are maintained and alerts are sent in the event of certain predefined security\nincidents, these logs are not actively monitored and analyzed. Currently, logs have to be pulled\nfrom each server, which is a labor-intensive process, making it impractical to perform and report\non such analysis regularly. The implementation of Novell Sentinel is expected to remediate this\nissue. Sentinel was deployed as of June 1, 2011; however, it has not been fully implemented.\nAgency management is in the process of refining its Incident Response Policy. Once this has\nbeen done, Sentinel will be configured to monitor the parameters set forth in the policy. This is\nexpected to be completed by December 30, 2011.\n\nIncident Response and Reporting Recommendations:\n\n1). The agency should develop and implement a Forensic Incident Response Policy and attendant\nprocedures. These policies should include requirements for reporting an incident to law\nenforcement, in addition to all the other NIST SP 800-86 requirements. Additionally, how\nquickly law enforcement must be notified, based on a predetermined event, should be explicitly\ndocumented in the policy. For example \xe2\x80\x9cIn the event of a lost or stolen laptop, US-CERT and\nlaw enforcement must to be notified within one hour.\xe2\x80\x9d\n\n2). The Incident Response policy and procedures should be fully implemented and disseminated\nto all users with key incident response and reporting responsibilities.\n\n3). The CSIRT, IRT, IHCM, and BAT teams should be established, and team members should be\ntrained on the tasks assigned to each of them.\n\n4). Implement the TIC (Trusted Internet Connection) initiative. This will improve security and\nincident response, by reducing and consolidating external network connections and allowing the\n\n                                                                                              26\n\x0ccentral monitoring of network traffic for malicious activity, across the government. Agencies are\nrequired to use one of four service options under TIC: A single service model, a multiservice\nmodel, a hybrid approach, or seek services from another provider.\n\n5). Implement the Einstein 2 product. This will monitor for specific predefined signatures of\nknown malicious activity at federal agency Internet connections and alert US-CERT directly\nwhen specific malicious network activity matching the predetermined signatures is detected,\nallowing the CPSC to use US-CERT expertise.\n\n6). Implement the Novell Sentinel product. This will improve the reporting capabilities of the\nfirewall and VPN logs and allow for a meaningful analysis of both internal and external network\nactivity.\n\n7). Ensure that each report of a security incident includes all of the NIST SP 800-61-required\ninformation.\n\n8). US-CERT and law enforcement should be notified within the prescribed timeframes.\nAdditionally, all security incidents should be reported to the ISSO immediately upon discovery\nand be tracked in SharePoint going forward. This includes VPN and Firewall alerts (based on a\nTSNE defined set of criteria). Incidents should be filtered through the HEAT Ticketing system\nto the ISSO SharePoint so that all incidents are tracked and remediation documented.\nAdditionally, the TSCS team should log all incidents with security ramifications through HEAT\nand into the SharePoint solution.\n\n9). A remediation plan should be documented for all reported security incidents.\n\n10). All actions taken to address security issues should not only be date-stamped, but they also\nshould be time-stamped.\n\n11). Document the time and date the security team/IRT was first notified of the incident in the\nSharePoint tool used to monitor the incidents.\n\nSecurity Training:\n\n  Security Awareness and Training policies and procedures are missing one key element;\nhowever, these documents are much improved over last year\xe2\x80\x99s review. The training policies and\nprocedures were updated and approved on August 10, 2011; however, they do not include the\nrequirement that the agency provide security training based on the 25 user groups outlined in\nNIST SP 800-16.\n\n   The agency does not provide role-based training to its resources. Instead of developing\nindividualized security training for each of the 25 specific user groups outlined in NIST SP 800-\n16, the agency provides two training courses, one for personnel within the IT department with\nsignificant information security responsibilities, and one for all other CPSC personnel.\nAdditionally, the training provided to the non-IT personnel was not designed to address IT\n\n\n\n                                                                                              27\n\x0csecurity from a System Development Lifecycle (SDLC) perspective, as required by NIST SP\n800-16.\n\n   Additionally, it was noted that the agency used a different solution to provide security\nawareness training in FY 2011 than it did in FY 2010. The solution used in FY 2011 is capable\nof accurately reporting on the security training completion statistics that remediated the reporting\nissues that arose last year.\n\n   It was also noted that only 67.5 percent of CPSC personnel completed their security awareness\ntraining in FY 2011. This is substantially less than the 90 percent completion rate that OMB\nrequires. This has been a recurring problem. As the consequences defined in the policy are not\nenforced, the CPSC resources have not prioritized the completion of this training.\n\nSecurity Training Recommendations:\n\n1). The agency should develop a NIST SP 800-16-compliant training program.\n\n        (a). The Security Awareness and Training and procedures should require each \xe2\x80\x9cuser\ngroup\xe2\x80\x9d defined within the agency to be provided security training specifically developed for their\nrole within the agency.\n\n        (b). The training criteria, if not the content, for each user group should be outlined in the\npolicy. For details on the required training criteria, please see NIST SP 800-16, pages 98\xe2\x80\x93154;\nNIST SP 800-16, appendix E; and summaries in NIST SP 800-50, pages 25\xe2\x80\x9327.\n\n2). Agency management should assign all agency resources to one of the 25 user groups\ndocumented in NIST SP 800-16.\n\n3). Once assigned to a NIST SP 800-16 defined user group, agency management should then\nselect appropriate training courses and provide security training to those agency resources\ncommensurate with their user groups. The DHS Information System Security Line of Business\n(ISSLOB) has been working with agencies to develop a standardized curriculum and to select\ninformation security Shared Service Centers (SSC). The ISSLOB SSCs provide an efficient and\ncost-effective solution for agencies to procure general information security training for\nemployees and contractors. For more information on this program, contact the ISSLOB program\nmanagement office at isslob@dhs.gov.\n\n3). Revoke access to all users who have not completed the security awareness training until the\ntraining is complete, as is provided for in the Security Awareness Training policy.\n\n3. Security Technical Controls\n\n   Prior Finding: Security technical controls are specific to the system\xe2\x80\x99s ability to identify,\ntrack, and act on authorized or unauthorized usage. Because CPSC management had not\nimplemented sufficient technical controls in the areas of identification and authentication, logical\naccess, and audit trails, the CPSC management left sensitive information vulnerable. This\n\n                                                                                                  28\n\x0ccondition appears to have been due to CPSC management not having the resources necessary to\nmake implementation of sufficient technical controls a priority. The level of risk was rated high\nfor identification and authentication and logical access.\n\n  Prior Recommendation: CPSC management should implement sufficient technical controls in\nthe areas of identification and authentication, logical access, and audit trail in order to protect the\ninformation that is used to support the Commission\xe2\x80\x99s mission.\n\n  Action Taken: The effectiveness of six of the CPSC\xe2\x80\x99s systems, and the underlying elements of\neach, were tested during the FY 2001 audit. Weaknesses identified in controls related to these\nsystems contributed to the overall condition of the CPSC\xe2\x80\x99s information security program.\nManagement was advised of specific weaknesses and recommendations, each of which was to be\naddressed during the implementation of the SSP and Systems Certification and Accreditation\ncontract. Weaknesses outlined in the SSP were to be corrected in all applications. Additional\nsystems were not tested because management was in the process of implementing prior\nrecommendations, the implementation of which would alter the policies and procedures\napplicable to all applications. As reported in the management response to the original audit, the\nCPSC requested, without success, funding in fiscal years 1999 through 2002, to establish a\ncapital budget for information technology. The need for such funds was also included,\nunsuccessfully, in the CPSC\xe2\x80\x99s FY 2003 and 2004 budget requests. Budget requests cited the\nneed for new investments to protect the current operating capability and efficiency of\ninformation technology. According to the Budget Officer, in the absence of a capital budget for\ninformation technology, the CPSC has applied some savings from operating funds to this area.\nIn FY 2002, the CPSC committed more than $500,000 from one-time salary savings to this area\nto develop an SSP, address data system weaknesses, enhanced firewall intrusion detection\ncapabilities, and other operating and system application enhancements. In FY 2003, the total\nCPSC EXIT commitment was $714,891 in the form of salaries and other expenses. In FY 2004,\nthe CPSC committed $715,000 for its Information Technology programs. In FY 2005, this\nfigure rose to $1,035,100. In FY 2006, the CPSC spent $2,082,050 on its IT programs. In FY\n2007, the CPSC committed $6,300,000 to its IT program. In FY 2008, the CPSC\xe2\x80\x99s commitment\nrose to 30 FTEs and $13,000,000. In FY 2010, the CPSC\xe2\x80\x99s commitment rose again to\n$18,884,618 [$9,371,016 for EXIT-IT (which included the creation of a \xe2\x80\x98sub-budget\xe2\x80\x99 for Capital\nReplacement of $1,000,000) and $9,513,602 for EXIT-Administration Services (EXIT-AS)\nrespectively] and 34 FTEs. In FY 2011, the agency was reorganized, and Administration\nServices is no longer a part of EXIT. Therefore, the aggregate spend on EXIT decreased;\nhowever, due to the IT modernization effort, the CPSC\xe2\x80\x99s commitment to the EXIT IT common\ncosts rose again to $13,787,040. FTEs also increased from 34 in FY 2010 to 36.6 in FY 2011.\nWork on implementing the recommendations contained in the SSP and more recent guidance\ncontinues.\n\n  The CPSC acknowledges its need for continued improvement. Over the past few years, the\nCPSC has met the following goals in its effort to improve its security technical controls:\nimplementing a security awareness training program; providing a redundant cooling capability to\nthe agency\xe2\x80\x99s existing computer room air conditioning unit; providing the ability to recover\nquickly from an e-mail server failure by periodically taking and storing e-mail \xe2\x80\x9csnapshots\xe2\x80\x9d of the\ne-mail database; implementing the ability to perform automated system auditing; implementing\n\n                                                                                                    29\n\x0cthe monitoring of Internet usage; implementing multifactor authentication for users with remote\naccess to the VPN; implementing a solution to restrict access to client USB ports by\nnonencrypted flash drives; and implementing a tool that allows the agency to inventory all\nnetwork user accounts.\n\nRemote Access Management review:\n\n   Formal documented policies for authorizing, monitoring, and controlling remote access were\ndeveloped and formalized in FY 2011. However, it was noted that Remote Access Management\npolicies had the following weaknesses. A list of the security functions and security-related\ninformation that can be accessed remotely must be included. It also must document the\nadditional controls in place to ensure that these functions are not misused. Additionally, the\nRemote Access policies must list the organization-defined networking protocols that are deemed\nto be nonsecure and must require the agency to route all remote traffic through managed access\npoints. It is important to note that the agency is aware of the requirement to route all remote\ntraffic through managed access points, and it has decided to formally accept the associated risk.\n\n   Additionally, although Teleworking and Remote Access procedures have been developed,\nthey do not address several operational topics. The procedures do not provide for checking for\nupgrades and patches to the remote access software components, and acquiring, testing, and\ndeploying those updates. Also, it was noted that the procedures do not document a process to\nensure that each remote access infrastructure component (i.e., servers, gateways, authentication\nservers) has its clock synched to a common time source, so that its time stamps will match those\ngenerated by other systems. Additionally, the procedures do not address reconfiguring access\ncontrol features, as needed, based on factors such as: policy changes, technology changes, audit\nfindings, and new security needs. Moreover, the procedures do not address detecting and\ndocumenting anomalies identified within the remote access infrastructure. Such anomalies might\nindicate malicious activity or deviations from policy and procedures. Anomalies should be\nreported to other systems\xe2\x80\x99 administrators, as appropriate. Furthermore, procedures in place for\nmonitoring remote access are inadequate. VPN and firewall logs are not reviewed to monitor\nremote access, although alerts are sent to engineers in the instance of select predefined security\nevents. CPSC management has attributed this to current system limitations, making the active\nmonitoring of these logs impractical; management has also attributed this to an overall lack of\nresources.\n\n   Additionally, the policy and procedures are not fully implemented. The Remote Access\nPolicy states that remote sessions time-out after 30 minutes of inactivity; however, sessions are\nconfigured to time-out after 90 minutes of inactivity. The agency is aware of this and has\ndecided to accept the risk associated with the 90-minute-session lock-out. The agency has a\npolicy that requires all sensitive information to be encrypted prior to being sent outside of the\ninternal network; however, the agency has not implemented a tool to facilitate compliance with\nthis requirement. Therefore, there is an extremely high likelihood that users send unencrypted,\nsensitive files over public networks.\n\n  It was also noted that not all users are uniquely identified and authenticated to the network. A\nformal process was not implemented to control the establishment of common E-Directory and\n\n                                                                                               30\n\x0cAD accounts. Additionally, credentials are not changed on these accounts when users separate\nfrom the agency or change job functions. Moreover, generic administrator IDs are being used by\nthe Network Engineering Team and the Computer Support Team. Furthermore, the tasks\nperformed by the administrator while using these IDs are not being monitored. Agency\nresources who have administrative rights, access the GSS remotely, using administrator\naccounts. No separate accounts have been created for these users to telework or perform\nnonadministrative tasks.\n\n  Additionally, reports of lost or stolen devices with access to the CPSC network are not\nadequately documented or tracked. For example, a Blackberry telephone was lost on July 1,\n2011; however, the ISSO, who is responsible for notifying US-CERT, was not notified of this\nincident until August 9, 2011, more than 1 month after its occurrence. Per OMB M-7-16, US-\nCERT is required to be notified within 1 hour of detection.\n\nFY 11 Remote Access Management Recommendations:\n\n1). The following elements should be added to the Remote Access policy:\n\n       (a). the list of security functions and security-related information that can be accessed\nremotely;\n\n      (b). the controls employed by the agency to ensure that these functions and data are not\nmisused; and\n\n       (c). the specific audit procedures the agency uses to ensure that the controls are effective.\n\n2). The agency should draft a list of network protocols that it deems to be insecure and restrict\nthe access to these protocols. Additionally, these protocols should be documented in the Remote\nAccess policy/procedures.\n\n3). The following criteria should be added to the Remote Access procedures and implemented:\n\n       (a). checking for upgrades and patches to the remote access software components, and\nacquiring, testing, and deploying the updates;\n\n       (b). ensuring that each remote access infrastructure component (e.g., servers, gateways,\nauthentication servers) has its clock synched to a common time source so that its time stamps\nwill match those generated by other systems.\n\n      (c). reconfiguring access control features, as needed, based upon factors such as policy\nchanges, technology changes, audit findings, and new security needs;\n\n        (d). detecting and documenting anomalies identified within the remote access\ninfrastructure. Such anomalies might indicate malicious activity or deviations from policy and\nprocedures. Anomalies should be reported to other systems\xe2\x80\x99 administrators, as appropriate.\n\n\n\n                                                                                                  31\n\x0c4). The agency should follow the documented Remote Access Policy and the NIST-mandated\n30-minute lock-out requirement for remote sessions.\n\n5). The agency should comply with NIST requirements and route all remote traffic through\nmanaged access points.\n\n6). All nonrequired common E-Directory and AD user accounts should be disabled.\n\n7). All agency-accepted common user accounts should be documented and approved.\n\n8). A formal process should be implemented to approve the creation of new common user\naccounts.\n\n9). A formal process should be implemented to establish membership in the common agency\naccounts.\n\n10). A formal process should be implemented to disable common user accounts once they are no\nlonger required.\n\n11). A formal process should be implemented to change the common user account\xe2\x80\x99s credentials\nonce a member separates from the agency or changes job functions and no longer requires access\nto the account.\n\n12). The common user account inventory should be reviewed periodically to ensure common\nuser accounts remain appropriate and that membership to these user accounts remains\nappropriate.\n\n13). Administrators should be granted local admin accounts on each of the machines. Only one\nperson should know the System Administrator password, and the password should be checked\nin/checked out when this access is required.\n\n14). A formal process should be implemented that requires the credentials on shared\nadministrator accounts to be changed whenever a user with knowledge of these credentials\nseparates from the CPSC or changes job functions.\n\n15). Actively monitor remote user access. This may be facilitated by the implementation of the\nNovell Sentinel (or equivalent) tool. Additionally, results of these analyses should be reported to\nthe ISSO.\n\n16). Create separate nonadministrative user accounts for administrators, and require the\nadministrators to use these accounts when they are performing tasks that do not require\nadministrative privileges.\n\n17). Implement a tool (e.g., Acceleron) to allow agency resources to encrypt sensitive documents\nprior to transmission across a public network, and train users of the tool.\n\n\n\n                                                                                                32\n\x0c18). Perform periodic audits to ensure compliance with the policy of encrypting sensitive\ndocuments prior to transmission across a public network.\n\n19). All security incidents should be reported to the ISSO immediately upon discovery and\ntracked in SharePoint. This includes VPN and Firewall alerts (based on a TSNE defined set of\ncriteria). Incidents should be filtered through the HEAT Ticketing system to the ISSO\nSharePoint so that all incidents are tracked and remediation is documented. Additionally, the\nTSCS team should log all incidents with security ramifications through HEAT and into the\nSharePoint solution. (This recommendation also appears in the Incident Response and Reporting\nsection).\n\nIdentity and Access Management review:\n\n   The agency formalized the General Access Control policy on August 10, 2011. However, it\nwas noted that General Access Control policy did not include roles and responsibilities and how\nthe agency coordinates access control responsibilities among the CPSC branches. Additionally,\nit was noted that the procedures outlined in the policy document did not include the following\nkey elements: the process by which network accounts are established and controlled; the process\nby which common/shared network accounts are established and controlled; the process by which\ntemporary, emergency, and guest accounts are established and controlled; the process by which\nthe agency establishes and controls system accounts; and account modification procedures.\nFurthermore, it was noted that individual system access control SOPs for the agency\xe2\x80\x99s major\napplications are not referenced in the General Access Policy. Even more, an Access Control\nPolicy and attendant procedures were not developed for CPSRMS.\n\n   It was also noted that although the General Access Control Policy was formalized, it was not\nfully implemented. The General Access Control Policy requires that agency management audit\nall users with access to the CPSC systems and confirm that group access settings are accurate\nand that the results are submitted to the ISSO for record and maintenance purposes. However,\nthis is not being done.\n\n   The CPSC GSS does not uniquely identify and authenticate network devices before\nestablishing a connection to the CPSC GSS. The agency is in the process of implementing a\nsolution, which is expected to remediate this issue. The solution is scheduled for implementation\non December 30, 2011.\n\n  The CPSC users are not all required to access the network using multifactor authentication.\nHowever, the agency has restricted remote access to the network without the use of multifactor\nauthentication and is planning on limiting local access without multifactor authentication by\nDecember 30, 2011.\n\n  Because a formal process has not yet been defined, users are being established without proper\nauthorization from EXRM. Additionally, access modifications are not always made based on\nformal management requests.\n\n\n\n\n                                                                                              33\n\x0c  The agency has not implemented the Principle of Least Privilege for CPSRMS. All CPS360\nusers can view all incident reports, even those which were not approved for Public consumption,\nwhether or not their job function required access to these data views. The agency has not\nimplemented the Principle of Least Privilege and proper separation of duties for the GSS LAN.\nThe agency does not have the ability to report on users with access to specific security functions\nwithin AD or E-Directory. Because the agency has not implemented a solution that will allow\nthem to develop reports with this level of granularity, the Principle of Least Privilege cannot be\napplied. There are only two types of network accounts: typical user accounts (with no access to\nany security function) and administrator accounts (with access to all security functions). If a user\nhas administrator access, they can perform all security functions even if their specific job\nfunction does not require this ability. Additionally, administrators have sufficient access to\nperform system administration and access and alter the audit logs.\n\n   It was also noted that the process for disabling network accounts immediately upon an\nemployee or contractor\xe2\x80\x99s separation from the agency is not being implemented consistently.\nEmployees and contractors who have previously separated from the agency have been identified\nby the OIG as still having access to the network. The weakness in the process of disabling\ncontractor accounts immediately upon contractor separation has been attributed to the lack of due\ndiligence on the COTRs who are responsible for notifying EXRM of the contractor\xe2\x80\x99s departure.\nAdditionally, a centralized contractor database, housing HR information such as hire and\ndeparture dates, which EXRM can readily query, currently, is not employed. The lack of a\ncentralized database to track contractor departures limits EXRM\xe2\x80\x99s ability to effectively notify\nclearing officials of all separating contractors on a periodic basis, which would mitigate much of\nthe risk of this manual process.\n\n  As is also noted in the Remote Access Management section, a formal process was not\nimplemented to control the establishment of common E-Directory and AD accounts.\nAdditionally, credentials are not changed on these accounts when users separate from the agency\nor change job functions. Moreover, generic administrator IDs are used by the Network\nEngineering Team and Computer Support Teams.\n\n   Also mentioned previously, it was noted that the agency uses common network accounts.\nHowever, the purpose of several of these common network accounts was not known to\nmanagement at the time of the review, and some accounts were enabled that had not been logged\ninto since 2001. As a result of this review, the agency has disabled and removed several of the\ncommon network accounts deemed to be inappropriate. However, a process should be instituted\nthat requires all common user accounts to be inventoried and reviewed periodically for continued\nlegitimacy.\n\nIdentity and Access Management Recommendations:\n\n1). Update the policy to include roles and responsibilities and to document how access control\ntasks are coordinated among CPSC branches. Also, this document, along with the related SOPs\nshould be disseminated to all users with key access control responsibilities.\n\n\n\n\n                                                                                                 34\n\x0c2). The following elements should be included in the General Access Control Policy and\nprocedure documents:\n\n       (a). The process by which common network accounts are established and controlled.\nThis should include how common/anonymous accounts are authorized and monitored.\n\n        (b). The process by which temporary, emergency and guest accounts are established and\ncontrolled. This should include guidance on how guest/temporary are authorized and monitored.\nThe process for notifying account managers when temporary accounts are no longer required\nshould also be defined, in addition to deactivating temporary accounts that are no longer\nrequired.\n\n          (c). The process by which the agency establishes and controls system accounts.\n\n       (d). Specific procedures for the establishment and modification of user accounts,\nincluding a requirement for all new administrators to follow the formal user access request\nprocess.\n\n          (e). Individual system access control SOPs should be referenced in the General Access\npolicy.\n\n2). Draft, approve, and implement NIST compliant Access Control policies and procedures for\nCPSRMS.\n\n3). ITTS Branch Chiefs and program managers should perform periodic user access audits to\nensure that user privileges remain appropriate. These results should be reported to the ISSO for\nrecord and maintenance purposes.\n\n4). Implement a tool (e.g., StillSecure) that uniquely identifies and authenticates devices prior to\nestablishing a connection to the CPSC GSS.\n\n5). Require all agency users to use multifactor authentication to access the GSS LAN.\n\n6). The agency should apply the Principle of Least Privilege to the CPSRMS application. The\nagency should enhance the role-based approach taken when CPSRMS was developed. The role\nmatrix, which defines what privileges each role has been assigned, should be enhanced further to\ninclude what data-viewing rights users with these associated roles are allowed.\n\n7). Implement the Principle of Least Privilege within the GSS LAN.\n\n       (a). The agency should define and document the functions/duties which have a significant\nimpact on agency operations and assets (e.g., create users accounts, modify firewall rules,\nmodify antivirus settings, reset passwords, and modify DHCP)\n\n       (b). The agency should revoke access to all users who have, but do not require, access to\nthe functions defined above.\n\n                                                                                                 35\n\x0c       (c). The agency should review the logs of all admin/super user accounts and restrict this\naccess if these levels of privilege are not specifically necessary to perform required job\nfunctions.\n\n         (d). The agency should document the system controls in place (e.g., blocked ports,\nrestricted protocols).\n\n       (e). The agency should document the specific access controls in place for\nproviding/controlling access required for the duties, functions and system restrictions described\nabove. Documentation can be in the form of access control policies (e.g., identity-based policies,\nrole-based policies, attribute-based policies).\n\n       (f). Require administrators to use a nonadministrative user account to perform tasks that\ndo not necessitate the use an administrator account.\n\n8). Implement a solution that will allow the agency to report on the specific privileges assigned\nto each AD and E-Directory user account. These reports should be granular enough to report on\nwhich security function has been assigned to each user account. Periodic audits of these reports\nshould be conducted to ensure access remains appropriate.\n\n9). Limit administrator\xe2\x80\x99s access to update audit logs and implement and configure Novell\nSentinel to audit changes to the audit logs.\n\n10). Implement the Novell Sentinel tool and actively monitor tasks performed by resources with\napproved conflicting duties.\n\n11). Revoke the separated user\xe2\x80\x99s access to E-Directory and AD.\n\n12). Implement a solution to systematically disable users after 30 days of inactivity.\n\n13). Develop, formalize, and implement an SOP that outlines exactly what the EXRM, COTR,\nand TSCS\xe2\x80\x99s responsibilities are related to revoking access for a departing employee and\ncontractor.\n\n14). Formalize a periodic review all E-Directory and AD user accounts (including common and\nsystem accounts) to ensure that only appropriate accounts are enabled.\n\n15). TSCS should formally reconcile the current separations, as indicated on the weekly EXRM\nStaffing report, to all the CPSC IT system ACLs to ensure all user accounts are adequately\nrevoked.\n\n16). A central contractor database that maintains records of all current and separated contractors\nshould be developed and linked to the FPPS application to allow adequate reporting of contractor\nseparations.\n\n\n\n                                                                                               36\n\x0c  Performance Measures: Security responsibilities and authorities have been defined for the\nChief Information Officer, Information System Security Officer, and program officials in the\nCPSC's SSP. The performance measures detailed in NIST 800-26 have been incorporated into\nexisting organizational goals for IT security in the SSP.\n\n   After the STE Evaluation in FY 2007 resulted in the decertification of the CPSC's system,\nmuch work was put into regaining system certification, which was achieved in FY 2008. NIST\n800-53 controls were incorporated by the agency, and future certification and accreditation work\nshould have been consistent with the most recent NIST Special Publication requirements. It was\nassumed at this time that the remaining security vulnerabilities would be addressed as\nexpeditiously as possible. However, in FY 2009, it was found that only five of the existing 63\nvulnerabilities shown in the 2007 STE Evaluation were addressed. Moreover, the results of the\nST&E performed in FY 2010 reflected a high number of control deficiencies [147 (\xe2\x89\x8856%) of the\napplicable 261 NIST 800-53 controls], which have to be addressed as soon as possible. In FY\n2011, it was noted that the agency had not performed an independent security control assessment\nfor the GSS LAN and its applications during FY 2011. Therefore, the status of all of these\nremediation efforts is not known at this time. However, it was noted that the security control\nweaknesses identified as a result of the FY 2010 review have not all been adequately remediated.\n\nPerformance Measure Recommendations:\n\nAn independent security control evaluation should be performed and the security weaknesses\nidentified should be remediated to allow the agency to become compliant with the NIST SP 800-\n53 control requirements for the GSS LAN and its applications.\n\nSecurity Capital Planning Management Response:\n\nWe appreciate the opportunity to review and respond to the Office of Inspector General\xe2\x80\x99s audit\nfindings regarding Security Capital Planning. Thank you for your recommendations to improve\nour efforts to build security into every IT investment appropriately from the start. We concur\nwith all of your recommendations and will build these recommendations into improvements in\nthe management of our IT program. Following, is our response to each of the recommendations\nand points of improvement.\n\nOIG Recommendation # 1: Policies/procedures should be developed/enhanced and\nimplemented to ensure that POAM items related to projects in the IT Investment Portfolio are\nproperly cross-referenced with the budget materials sent to OMB in the fall, including the\nExhibits 53 and 300s. An example of how this may be accomplished would be to require that a\ndiscrete line item be included for IT security in all WBSs, Spend Plans, and/or Exhibit 300s.\nAdditionally, policies/procedures should be enhanced and implemented to require that the\ninvestment Unique Project Identifier (UPI) be documented in each POAM. This will allow a\nspecific investment on the Exhibit 53 to be tied to all of its related POAM items.\n\nResponse:       We will modify our Capital Planning and Investment Control (CPIC) policy,\nprocesses, standards, and guidance to identify the linkage between the IT Investment (Exhibit 53\nline item), IT project, and security POA&M item.\n\n                                                                                                37\n\x0cOIG Recommendation # 2: The policies/procedures should be enhanced and implemented to\nrequire all POA&Ms, which reflect estimated resource needs for correcting reported weaknesses,\nto specify whether funds will come from a reallocation of base resources or a request for new\nfunding. While the POA&Ms will not be used as agency funding requests by OMB, a brief\nrationale should be provided when a request for new funding is contemplated.\n\nResponse:      We are currently reviewing and anticipate establishing new processes to create\nand maintain POA&M items. We will include in these requirements dollar costs and/or staff\nhours to implement the item. In addition, we will identify the source of funding (e.g., IT\ninvestment) to address the item and whether the item requires additional funding (e.g., midyear\nor budget year request).\n\nOIG Recommendation # 3: The budget documentation for each investment should include a\nspecific reference for all of its related POAMs.\n\nResponse:       IT governance improvements have generally focused in areas where the rate of\nchange is the greatest and these investments (i.e., CPSRMS, ITDS/RAM, cpsc.gov redesign)\nhave spend plans. We will create spend plans for all of our major IT investments, including IT\nInfrastructure and CIS. The spend plans will include costed security work and reference\nPOA&Ms, where applicable.\n\nOIG Recommendation # 4: A spend plan that includes a discrete line item for IT security costs\nshould be developed for the IT Infrastructure and Commission Information System (CIS)\ninvestments just as it has been developed for the CPSRMS investment. Additionally, the\nindividual investment project plans should roll up to, and be tied to, the spend plan.\n\nResponse:       IT governance improvements have generally focused in areas where the rate of\nchange is the greatest and these investments (i.e., CPSRMS, ITDS/RAM, cpsc.gov redesign)\nhave spend plans. We will create spend plans for all of our major IT investments, including IT\nInfrastructure and CIS. The spend plans will include costed security work and reference\nPOA&Ms, where applicable.\n\n\n\n\n                                                                                                 38\n\x0c"